Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11822

Checks for new stories every ~15 minutes

2024-05-02 14:46:17 bleepingcomputer CYBERCRIME REvil Hacker Sentenced to 13 Years for Global Ransomware Attacks
Yaroslav Vasinskyi, a Ukrainian national, was sentenced to 13 years and seven months for participating in the REvil ransomware attacks. Vasinskyi was required to pay $16 million in restitution and was involved in over 2,500 ransomware incidents demanding over $700 million in ransoms. He was arrested in October 2021 while attempting to cross into Poland and faced charges including conspiracy to commit fraud and money laundering. His criminal activities included leveraging a zero-day vulnerability in Kaseya VSA software, impacting over 1,500 global companies. REvil, which Vasinskyi was affiliated with, was one of the most notorious ransomware operations, culminating in a significant attack on Kaseya in 2021. Following his extradition to the U.S. in March 2022, Vasinskyi pled guilty to an 11-count indictment, though he faced a maximum of 115 years. REvil was forcibly shut down in October 2021 after law enforcement in Russia heightened actions against the group, leading to several arrests.
2024-05-02 14:30:35 thehackernews CYBERCRIME Popular Android Apps Vulnerable to File Overwrite Exploit
Several widely-used Android applications have been found vulnerable to a path traversal flaw, allowing file overwriting in the app's home directory. The vulnerability could enable malicious apps to execute arbitrary code or steal authentication tokens, potentially leading to unauthorized access to the victim's online accounts. Affected apps include prominent names like Xiaomi and WPS Office, which have since addressed the issue after Microsoft's report in February 2024. The flaw exploits Android's content provider mechanism, which lacks proper validation of filenames and file content during inter-app data exchange. This vulnerability makes it possible for a rogue app to overwrite critical files within another app's data space, compromising security and privacy. Microsoft's Threat Intelligence team highlighted the ongoing issue and noted that this could be widespread among other apps that don't properly validate or sanitize file inputs. Google has issued guidelines instructing developers on secure file handling practices to mitigate such risks. This discovery underscores the continuous need for developers to enhance security measures in app design and implementation.
2024-05-02 14:20:03 theregister CYBERCRIME Urgent Federal Directive to Address GitLab Security Flaw
The US Cybersecurity and Infrastructure Security Agency (CISA) mandated federal agencies to patch a critical GitLab vulnerability, CVE-2023-7028, which is under active exploitation. This flaw in both the Community and Enterprise editions of GitLab allows zero-click account takeovers due to improper access control. Initially disclosed by GitLab in January with a severity rating of 10, its in-the-wild exploitation was confirmed by its addition to CISA's Known Exploited Vulnerabilities (KEV) list. Agencies typically have a 21-day window to implement security patches once vulnerabilities are listed on the KEV. The security gap, introduced in May 2023 following an update that altered email verification in password resets, has the potential to enable widespread software supply chain attacks. Environments that activated two-factor authentication (2FA) on GitLab are not affected by this vulnerability. After the vulnerability's disclosure, the number of vulnerable GitLab instances fell significantly, from 4,652 to 2,149, particularly in Europe and Asia.
2024-05-02 12:37:31 thehackernews CYBERCRIME Ukrainian Hacker of REvil Group Sentenced to 13 Years in U.S.
A Ukrainian national, Yaroslav Vasinskyi, received over 13 years of imprisonment and an order to pay $16 million for ransomware attacks. Vasinskyi, associated with the REvil ransomware group, conducted over 2,500 ransomware attacks, demanding ransoms totaling more than $700 million. He was extradited to the U.S. after being arrested in Poland in October 2021, and pleaded guilty to multiple federal charges including conspiracy to commit fraud. REvil, a notorious cybercrime gang, has been linked to high-profile cases like JBS and Kaseya, and went offline in late 2021. The U.S. Justice Department also secured a forfeiture of approximately $6.1 million in USD and almost 40 Bitcoins linked to the ransomware activities. Additionally, the U.S. Treasury sanctioned Vasinskyi and another Russian national in November 2021, emphasizing efforts to combat cybersecurity threats and ransomware. The sentencings and prosecutions of such criminals underline ongoing international cooperation and a robust approach by U.S. authorities to curtail cybercrime operations.
2024-05-02 10:35:06 thehackernews MISCELLANEOUS Enhancing Cybersecurity with Multiple Vulnerability Scanners
Vulnerability scanners use databases of known weaknesses; however, given the proliferation of vulnerabilities—approximately 30,000 yearly—no single scanner covers all potential vulnerabilities effectively. Competitive analysis between different scanners such as Tenable’s Nessus and OpenVAS reveals significant gaps in their detection capabilities, highlighting disparities in the range of vulnerabilities each scanner detects. The practice of utilizing multiple scanning engines can offer more comprehensive coverage and a better understanding of an organization’s attack surface, thus reducing security risks. Intruder incorporates multiple scanning engines in one platform, including the addition of Nuclei, to provide a broad and deep coverage without the prohibitive costs typically associated with operating several scanners. Nuclei, an open-source scanning engine, is notable for its rapid development and deployment of checks for new vulnerabilities, thus enhancing the capability to protect against newly discovered threats. Intruder's integration of Nuclei supports a more robust vulnerability management strategy by increasing detection capabilities and securing more aspects of an organization's digital infrastructure against potential exploits.
2024-05-02 10:29:46 thehackernews DATA BREACH Dropbox Sign Compromised, Exposing User Data to Unauthorized Access
Dropbox disclosed a breach in its Dropbox Sign service, originally acquired as HelloSign, affecting all users. Unidentified attackers accessed user data, including emails, usernames, phone numbers, and certain account settings. The breach extended to third parties who interacted with Dropbox Sign documents but did not have accounts, exposing their names and emails. There are no indications that attackers accessed the content of user agreements, templates, or payment information; the breach was limited to the Dropbox Sign infrastructure. Attackers exploited an automated system configuration tool and a service account to reach the customer database. Dropbox is contacting affected users with protection steps, has reset passwords, and is rotating API keys and OAuth tokens. Dropbox is collaborating with law enforcement and regulatory bodies, and an ongoing investigation is assessing the full impact. This incident marks the second significant security compromise Dropbox has faced in under two years.
2024-05-02 10:14:03 thehackernews MALWARE New "Goldoon" Botnet Exploits Old Flaw in D-Link Routers
A novel botnet named Goldoon is actively exploiting CVE-2015-2051, a critical vulnerability in D-Link DIR-645 routers, allowing remote command execution. The exploitation process starts by retrieving a dropper script from a remote server that downloads further payloads tailored for various Linux system architectures. After initial infection, Goldoon malware sets up persistence on compromised devices and establishes communication with a command-and-control (C2) server. Attack capabilities include launching distributed denial-of-service (DDoS) attacks using an array of 27 different flooding methods across multiple protocols. The malware attempts to conceal its presence by deleting the dropper script post-execution and using humorous denial messages to deter direct examination of the server endpoint. Trend Micro highlights the increasing trend of using compromised routers as proxies by cybercriminals and nation-state actors to anonymize their activities. The U.S. government's recent actions against the MooBot botnet illustrate ongoing efforts to combat similar malicious infrastructure exploiting internet-facing devices.
2024-05-02 07:03:41 theregister NATION STATE ACTIVITY China's Tech Influence Extends Beyond Propaganda, Aims for Data Dominance
The Australian Strategic Policy Institute (ASPI) report highlights Chinese tech companies' integral role in Beijing's global propaganda strategy. Chinese apps, games, and online platforms are used to harvest user data to monitor global public opinion and societal trends. Investments in globally operating Chinese firms allow Beijing access to vital data under China's unique storage laws, influencing consumer and societal understanding. ASPI argues that technology like generative AI and immersive tech (AR, VR) is being developed to shape and control global narratives and public perception. Limiting platforms like TikTok is insufficient; the broader impact of China's technological advancements needs comprehensive policy consideration. Recommendations include scrutinizing digital supply chains in tech procurement and reclassifying certain tech as surveillance goods. Standardization of data storage practices globally could limit authoritarian data misuse, according to ASPI. Contrasting views from other think tanks suggest inefficiencies may undermine Beijing's ability to manage such a vast control system internationally.
2024-05-02 06:37:48 theregister CYBERCRIME Ukrainian Hacker Sentenced, Fined $16M for Global Ransomware Crimes
Yaroslav Vasinskyi, a 24-year-old Ukrainian national, has been sentenced to nearly 14 years in prison for his involvement with the REvil ransomware attacks. Vasinskyi and his associates conducted over 2,500 ransomware attacks, extorting over $700 million from various organizations and individuals globally. He was arrested in 2021 near the Poland-Ukraine border and extradited to the U.S., where he pleaded guilty to an 11-count indictment, including fraud and money laundering conspiracies. A U.S. court has ordered Vasinskyi to pay more than $16 million in restitution, reflecting a part of the damages caused by his cybercriminal activities. The Justice Department successfully recovered millions in ransom payments, including significant amounts of Bitcoin and cash, traced back to Vasinskyi and other REvil members. REvil, known for its double-extortion tactics, stole sensitive data before encrypting victims' files, threatening data leaks if ransoms were not paid. The arrest and sentencing showcase the extent of US and international law enforcement collaboration to combat global cybercrime and bring perpetrators to justice.
2024-05-02 06:17:06 thehackernews CYBERCRIME Critical GitLab Password Reset Flaw Exploited, CISA Issues Alert
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a critical GitLab vulnerability. Identified as CVE-2023-7028 with a CVSS score of 10.0, the flaw allows attackers to send password reset emails to unverified addresses, facilitating account takeovers. Originally introduced in GitLab version 16.1.0, the vulnerability affects all authentication mechanisms, including those with two-factor authentication, though these accounts cannot be fully taken over. Potential impacts of the exploit include unauthorized access to GitLab accounts, theft of sensitive data, and insertion of malicious code into source code repositories. Successful attacks could compromise entire supply chains by manipulating CI/CD pipeline configurations or inserting malware. Fixed versions of GitLab that address the vulnerability include 16.5.6, 16.6.4, 16.7.2, and backported versions for earlier releases. CISA has mandated federal agencies to apply the patches by May 22, 2024, to mitigate risks associated with the vulnerability.
2024-05-02 05:05:40 thehackernews MALWARE New Cuttlefish Malware Targets Routers, Steals Cloud Credentials
Cuttlefish malware specifically targets SOHO routers to monitor traffic and steal authentication data from web requests. The malware performs DNS and HTTP hijacking, primarily affecting internal network communications. Initial evidence links Cuttlefish to a previously identified malware cluster, HiatusRAT, although they affect different victims. It has been active since July 2023, with recent campaigns impacting 600 IP addresses, mainly from Turkish telecom providers, through April 2024. It deploys a bash script to gather and exfiltrate detailed host data to an attacker-controlled domain before downloading the Cuttlefish payload. It is capable of sniffing network packets for cloud service credentials (e.g., AWS, CloudFlare) and can act as a proxy or VPN to transmit captured data. Updated hijack rules and malware operations are managed via a command-and-control server over secure communication channels. The campaign highlights a sophisticated approach to eavesdropping and data theft via network manipulation and passive traffic sniffing.
2024-05-02 04:04:33 theregister DATA BREACH Over a Million Australian Pub Patrons' Data Exposed Online
Over a million records of Australians who visited pubs and clubs were posted on a leak site by an anonymous party. The compromised data includes names, partial addresses, dates of birth, and venue details, all verified by The Register. The data leak is associated with a tech services company called Outabox, which provided a digital sign-in system for clubs. Outabox allegedly allowed offshore developers, who were not paid, access to personal data including facial biometrics and licensing information. Outabox's website acknowledges a potential unauthorized data breach and an ongoing investigation in collaboration with law enforcement. ClubsNSW has informed member clubs about a cybersecurity incident involving their commonly used third-party IT provider. Wests Tradies, a club, acknowledged that its IT provider is the focus of a cyber extortion campaign of which it had no prior knowledge. Local authorities are investigating, and victims may face significant costs for replacing compromised credentials, such as drivers' licenses.
2024-05-02 01:01:06 theregister DATA BREACH Dropbox Sign Attack Exposes User Data and Third-Party Information
Dropbox disclosed a significant security breach affecting its Dropbox Sign service. The attack compromised personal data including emails, usernames, phone numbers, and hashed passwords. Additional sensitive details accessed include API keys, OAuth tokens, and multi-factor authentication info. Third-party individuals who interacted with Dropbox Sign but did not have accounts also had their names and email addresses exposed. Despite the breach, there is no evidence that the content of users' Dropbox Sign accounts or their payment information was accessed. Dropbox's other services were not affected; the infrastructure for Dropbox Sign operates separately. Following the breach, Dropbox reset passwords, logged out users from devices, and rotated all compromised authentication tokens. Dropbox believes the attack originated from a compromised automated system configuration tool used by a service account.
2024-05-02 00:35:30 theregister DATA BREACH Allegations of Compliance Failures at Block Could Aid Terrorists
Block, the fintech company founded by Jack Dorsey, is under scrutiny following claims of massive compliance lapses that could have enabled terrorist financing. A former employee leaked around 100 documents outlining substantial shortcomings in compliance measures within services like Square and Cash App. These documents suggest that known compliance issues were overlooked by leadership, with little done to rectify extensive vulnerabilities. Independent consultants identified nearly 50 issues requiring attention to ensure adherence to U.S. laws, though Block maintains such findings are typical in complex operational reviews. It's alleged that Square continued servicing merchants even after identifying sanctions violations and that Cash App’s design makes compliance checks almost unfeasible. The leaked claims include reports that thousands of possibly illegal transactions went unreported to governmental authorities. Following the leak and the onset of legal scrutiny, Block's stock price suffered a significant decline, indicating market reactions to potential regulatory repercussions.
2024-05-01 22:32:59 bleepingcomputer MALWARE HPE Aruba Fixes Critical Flaws in ArubaOS Network System
HPE Aruba Networking released a security advisory for ArubaOS, highlighting critical remote code execution vulnerabilities. Four critical-severity vulnerabilities were identified, all of which are unauthenticated buffer overflow issues with a CVSS v3.1 score of 9.8. These vulnerabilities impact multiple versions of ArubaOS and could allow attackers to remotely execute code. The advisory also mentioned six other medium-severity vulnerabilities related to potential denial of service attacks. To protect against these security flaws, HPE Aruba recommends enabling Enhanced PAPI Security and updating to patched versions of ArubaOS. Updated versions of ArubaOS address all ten reported vulnerabilities, improving system security. As of now, there are no known active exploitations or proof-of-concept exploits for these vulnerabilities. System administrators are urged to install the updates immediately to prevent potential breaches and operational disruptions.